Why I’m Choosing to Steer Clear of Apollo Hospitals: A Personal Cautionary Tale

I recently needed a straightforward medical quote for a minor procedure. Nothing urgent, nothing complex, just an estimate to help me plan. I turned to Apollo Hospitals, one of India’s best-known healthcare brands, with a network spanning dozens of cities and a reputation for catering to international patients. What should have been a five-minute email exchange turned into a frustrating loop of automated replies insisting I “forgot to upload my passport.” No passport, no quote. Simple as that.

At first, I thought it was a glitch. Then I wondered if it was a poorly designed form for medical tourists. But the more I dug, the less it felt like an oversight and the more it felt like a red flag, especially when layered against Apollo’s documented history of data security incidents. This isn’t about fearmongering. It’s about informed choice. And after what I’ve learned, I’ve decided Apollo isn’t a risk I’m willing to take with my personal information. Here’s why.

My Experience: When a Quote Requires a Passport

I filled out Apollo’s online inquiry form with the basics: my name, email, phone number, a brief description of the procedure, and attached medical reports. Standard stuff. Within minutes, I received an automated response:

“Thank you for your inquiry. Please upload a clear copy of your passport to proceed with your treatment cost estimate.”

No explanation. No option to proceed without it. No human follow-up.

I replied, clarifying that I only wanted a ballpark figure and had no intention of traveling or booking yet. Another autoresponder. Same message.

For context: I’ve requested quotes from other major hospital chains and standalone clinics in India and abroad. None demanded ID upfront. Some asked for medical history. A few wanted a phone call. But a passport scan before even discussing cost? That’s a first.

A Pattern of Security Incidents: The Facts

Apollo Hospitals has faced multiple publicly reported data security events in recent years. These aren’t rumors; they’ve been documented by cybersecurity researchers, ethical hackers, and media outlets. Here’s a factual timeline:

  • 2018: A vulnerability in Apollo’s online appointment portal (Ask Apollo) exposed personal details of over one million users, including names, phone numbers, and appointment history. An ethical hacker reported it privately, but Apollo initially did not respond.
  • 2021: A software update from third-party vendor Kaseya triggered a network-wide system crash across Apollo facilities. While no data loss was confirmed, the incident disrupted operations and raised questions about supply chain security. Apollo filed a police complaint.
  • October 2024: The ransomware group Kill Security (aka KillSec) claimed responsibility for breaching Apollo’s systems. They alleged they stole sensitive patient data, including full names, medical diagnoses, Aadhaar numbers, PAN cards, passport scans, vaccination records, payment details, and internal source code. The group threatened to publish the data unless a ransom was paid. Samples were reportedly shared on dark web forums.
  • April 2025: Security researchers discovered an unsecured zip file on an Apollo subsidiary website containing medical records, internal credentials, and personal data of at least 94 individuals (including 58 third-party patients). The file reportedly stemmed from the 2024 breach. Despite being notified in January 2025, the exposure remained live for weeks.

These incidents are not isolated. India’s healthcare sector saw 1.9 million cyberattacks in 2022 alone, with hospitals increasingly targeted due to the high value of medical data on the black market.

Apollo has stated it uses encryption, access controls, and complies with India’s IT Act and Digital Personal Data Protection (DPDP) Act 2023. But compliance doesn’t equal immunity. And history shows that when breaches occur, the fallout can be severe.

What Could Go Wrong? The Real Risks of a Data Leak

Let’s be clear: a stolen passport scan isn’t just an inconvenience. When combined with medical history, it becomes a goldmine for identity theft, fraud, and blackmail. Here are some realistic scenarios, none far-fetched:

  1. Identity Theft & Financial Fraud
    A passport contains your full name, photo, date of birth, nationality, and passport number. Paired with an address or phone number (easily obtained), criminals can open bank accounts, apply for loans, or file fake tax returns in your name.
  2. Medical Identity Theft
    Stolen health records can be used to purchase prescription drugs, file fraudulent insurance claims, or even receive treatment under your name, potentially altering your real medical file with false allergies, conditions, or procedures.
  3. Blackmail or Extortion
    Sensitive diagnoses, mental health issues, STDs, fertility treatments, or genetic conditions can be weaponized. We’ve seen ransomware groups threaten to contact family members or employers with embarrassing medical details.
  4. Travel & Visa Fraud
    A forged passport (using your scanned copy) could be used for illegal border crossings, money laundering, or terrorist watchlist manipulation. You might face travel bans or interrogations at immigration, through no fault of your own.
  5. Dark Web Sales
    Complete medical + ID dossiers sell for $1,000 or more per record. Once leaked, your data circulates indefinitely. Monitoring services like Have I Been Pwned? can alert you, but they can’t erase the exposure.

These aren’t hypotheticals. The U.S. Federal Trade Commission reports that medical identity theft affects hundreds of thousands annually. In India, Aadhaar-PAN leaks have fueled tax fraud rings. A passport in the wrong hands is a master key.

Apollo’s Privacy Policy: Fine Print, Real Limits

Apollo does have a privacy policy, available on their website and updated to reflect India’s DPDP Act. It states:

  • They collect only “necessary” personal data.
  • You consent by using their services.
  • Data may be shared with affiliates, doctors, and payment processors.
  • They’re not liable for breaches beyond their control.

But here’s the catch: “necessary” is self-defined. If their system labels a passport as required for a quote, they can claim it’s essential, even if competitors don’t. And while they promise encryption, no hospital can guarantee 100% security. The 2024 ransomware attack proved that.

You can request data deletion, but only after services are rendered. During the quote phase? You’re already in the system.

Why I’m Choosing to Look Elsewhere

This isn’t about denying Apollo’s clinical expertise. They have skilled doctors, modern facilities, and a long track record. But healthcare isn’t just about treatment; it’s about trust.

When a hospital demands sensitive ID for a basic estimate, especially after multiple breaches, it signals a culture that prioritizes process over privacy. I don’t want my passport sitting in a database that’s been ransomed once and left exposed for months afterward.

I value my data. I value control. And I believe patients should be able to inquire about care without surrendering identity documents on day one.

Final Thoughts: Your Data, Your Choice

I’m not telling anyone to boycott Apollo. That’s not my place. But I am sharing my experience and my reasoning so others can decide for themselves.

If you’re comfortable uploading your passport for a quote, knowing the breach history, that’s your call. For me, the risk outweighs the reward. One data leak could haunt me for years. One quote isn’t worth that.

Healthcare should empower patients, not expose them. Until Apollo revises its data collection practices and demonstrates stronger post-breach accountability, I’ll be taking my inquiries, and my trust, elsewhere.

Opinions reflect the author’s personal experience and judgment.

Nordorthopaedics – A European Option

I came across Nordorthopaedics, which is a clinic based in Lithuania. I wouldn’t be loath to choose it because I hate Europe (as a personal preference), it’s cold and it’s the same price as Asia. I want to include it because their website has a very clear breakdown of the prices and procedures and you can tailor it yourself and see the prices instantly. This is the way that all clinic websites should be really.

The front page lists the price as 4160 Euros and there is a WhatsApp number to connect to. But going to a second page gives a better idea of the actual page because you have to add on various other options, and so I’m not sure what that is, perhaps just the implant and surgeon.

There is more information on this first page. The first consultation is free. You can travel ten days after surgery. Pain killers are stopped after one week. Walking unassisted is possible after one month. They use minimally invasive surgery with no muscle cutting. There is no need for changes in the home environment.

So the page with further price breakdown gives the prices in British pounds. Surgery is 3470, the implant is 2340. (Already it’s more than the headline price.) Seven days of physio is seven hundred sterling. There are three choices of implant, two are Zimmer Biomet with com/mech options, or R3+Polarstem by Smith and Nephew. There is an extra charge of 1200 Euros if the BMI is over 70.

Accommodation is available in the apartment with aftercare, ‘from’ 74 pounds sterling a night.

When I chose a few options I got a price of 8510 Euros, which is interesting. A few red flags are that there is no price of extra tests, medicines nor hospital stay nor how long the hospital stay would be. I’ve got a feeling it’s outpatient, meaning it’s not included. So with tests and medicine, and a month of accommodation, perhaps ten thousand Euro, which puts it on par with the prices I am looking at, but it seems FAR better organised and it is DEFINITELY a last resort to consider if what I’m looking at doesn’t work out. The issue is adding the flights, and it’s a long flight back, and I’d need two operations likely… so I’d probably do two sides if there would be help there.

Hmmmm. Not sure what to think about this actually.

My Experience Requesting a Quote from Max Super Speciality Hospital

Earlier this year, I contacted Max Super Speciality Hospital in New Delhi to request a basic estimate for a post-operative hospital stay. I was considering hip replacement surgery and wanted to know the approximate cost of staying on for extra days to recover — excluding the cost of the surgery itself.

I live alone, and if I were to undergo major surgery abroad, I would be managing my own recovery without family support. So I thought it might be safer and more practical to remain in hospital for longer than the standard discharge period, if possible. That was the reason behind my enquiry: I wanted to know if Max could accommodate a longer stay after surgery and what the daily cost would be for the room, meals, and standard nursing care.

I had a vague memory of their website mentioning that hip replacement procedures started from around $6,000 (don’t quote me on that!). I also had a quote from a reputable hospital in Vietnam that included seven days of post-operative care within the total surgery cost as a standard package. I was trying to compare options. My thinking was that, although India was farther to travel, the daily cost for hospital stays might be lower — and that could make the total recovery plan more affordable overall.

Over nearly two weeks, I exchanged multiple emails with the international patient services team at Supermax. Although I made it clear that I was not yet submitting medical records or asking for a full surgical quote, they repeatedly requested scans and reports before giving any cost details. I explained several times that I only wanted a general idea of daily post-op costs to help me assess whether to pursue treatment there at all.

Eventually, after repeated follow-up, I received a quote of $2,500 per day for a general ward stay including meals and nursing — just for the post-op recovery period. This was surprising.

Why I Think This Matters

  • That quote is far above typical rates in India, even for high-end hospitals. Most estimates put daily post-op care (excluding surgery) at roughly $100–$500 per day depending on ward level and support needed.
  • The delay and repeated demands for medical files made the process difficult. For patients planning surgery abroad — especially solo travellers like me — clear, upfront communication matters. It’s one of the things people weigh when choosing a hospital.

Why I’m Sharing This

I’m writing this as part of my personal health journey, to help others facing similar decisions: chronic pain, managing your own care, and evaluating surgery options across countries.

This post reflects my actual experience in June 2025 and includes direct communication with Max’s international patient services team. Prices and policies may change, and this isn’t a review of their surgical outcomes — just a report on how the enquiry process went when I asked a very specific and practical question about recovery costs.

If Max Healthcare wishes to clarify or add any info, I’d be happy to include an update.